Security Gaps in Smart Infusion Pumps Risk Patient Data
75% of 200,000 Devices Analyzed Contained Known Vulnerabilities
An "alarming" number of cybersecurity gaps in smart infusion pumps - network-connected devices that deliver medicines to patients - have put the lives and data of patients at risk.
Researchers at cybersecurity firm Palo Alto Networks' Unit 42 say that 75% of the 200,000 smart infusion pumps they scanned contained known security gaps.
The crowdsourced data belonged to hospitals and other healthcare organizations.
"These shortcomings included exposure to one or more of 40 known cybersecurity vulnerabilities," says Aveek Das, senior researcher at Palo Alto Networks. He adds that the devices may also have been affected by one or more of 70 known IoT device security shortcomings.
More than half - 52% - of all smart infusion pumps scanned were susceptible to two known vulnerabilities that have been disclosed since 2019, the researchers say. One is a critical vulnerability, tracked as CVE-2019-12255 with a CVSS score of 9.8.
This vulnerability is part of a collection of vulnerabilities that security vendor Armis calls "Urgent/11." In 2019, Armis disclosed 11 different zero-day vulnerabilities within VxWorks, a real-time operating system used in some 2 billion embedded systems, including medical devices, routers, VOIP phones and even mission-critical infrastructure equipment (see: 'Urgent/11' Vulnerabilities Affect Many Embedded Systems).
The other vulnerability in the smart infusion pumps, tracked as CVE-2019-12264, is a high-rated vulnerability with a CVSS score of 7.1.
Some of the common vulnerabilities the researchers observed were specific to the infusion systems and could be grouped into several categories, such as leakage of sensitive information, unauthorized access and overflow. Other vulnerabilities stem from third-party TCP/IP stacks but can still affect the devices and their operating systems, the Unit 42 researchers said.
Leakage of Sensitive Information
The researchers also observed a large number of vulnerabilities on internet of medical things devices, which may risk leakage of sensitive information.
Vulnerable devices can leak operational information, patient-specific data, or device or network configuration credentials. An attacker looking to exploit such vulnerabilities needs some degree of access to reach this information, however, whether through remote exploitation or physical access.
"CVE-2020-12040, which is specific to clear-text communication channels, can be remotely exploited by an attacker via a man-in-the-middle attack to access all the communication information between an infusion pump and a server," the researchers say.
Overflow and Unauthorized Access
Some vulnerabilities could be exploited to cause overflow or incorrect access control, which can give unauthenticated users the ability to gain access to a device or to send network traffic in a certain pattern, the researchers say. This, in turn, could cause a device to become unresponsive, they say. In the healthcare world, this can cause severe disruption to hospital operations and patient care.
"The possibility of unauthorized access isn’t limited to the successful exploitation of vulnerabilities. Continuous use of default credentials, which are readily available online via a simple search, is another major issue in IoT devices in general - since it can give anyone who is in the same hospital network as the medical devices direct access to them," the researchers say.
Vulnerabilities in Third-Party TCP/IP Stacks
While being aware of vulnerabilities in the infusion systems is necessary, there's more to the process of staying secure, according to the researchers.
"Many IoMT (and IoT) devices and their operating systems use third-party cross-platform libraries, such as network stacks, which might have vulnerabilities affecting the device in question. For example, for CVE-2019-12255 and CVE-2019-12264, the vulnerable TCP/IP stack IPNet is a component of the ENEA OS of Alaris Infusion Pumps, thereby making the devices vulnerable," the researchers say.
Common Security Alerts in Infusion Systems
The researchers also discuss some of the most common security alerts raised on the analyzed smart infusion systems:
- Excessive count of TCP reset packets sent from unestablished connections;
- Invalid user agent string (garbage values) observed in an HTTP request in IoMT device;
- Unencrypted sensitive login information observed in an HTTP request;
- Manufacturer factory default username and password in inbound HTTP login;
- Suspicious (high and not commonly observed) port number in network traffic;
- Unsecured outbound HTTP connections from IoMT device to the internet;
- FTP anonymous login (without specific username/password) via local network;
- Manufacturer factory default username and password in the inbound FTP login;
- Unsecure outbound FTP connections from IoMT device to the internet;
- Unsecure HTTP service hosted on the IoMT device.
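A rule-based sketch of how several of the alerts above could be evaluated over network events, added here as an illustration and not Unit 42's detection logic; the event format, the default-credential list, the RST threshold and the sample addresses are all constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed placeholder list standing in for vendor default credentials
# (a deployment would load these from manufacturer advisories).
DEFAULT_CREDS = {("admin", "admin"), ("service", "service")}
RST_THRESHOLD = 50            # assumed tuning value, not from the Unit 42 report
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internet(addr):
    """Treat anything outside RFC 1918 space as 'the internet' for this rule set."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)

def evaluate(events, devices):
    """Apply the alert rules to constructed flow/login events.

    events:  dicts with src, dst, proto and optional user/password/flags/established
    devices: set of IoMT device addresses (the inventory the recommendations start from)
    Returns a list of (alert_name, device_ip) tuples.
    """
    alerts, rst_counts = [], Counter()
    for ev in events:
        src, dst, proto = ev["src"], ev["dst"], ev["proto"]
        creds = (ev.get("user"), ev.get("password"))
        inbound, outbound = dst in devices, src in devices
        if proto == "tcp" and ev.get("flags") == "RST" and not ev.get("established", False):
            rst_counts[src] += 1      # RSTs sent by a device for connections it never had
        elif proto == "http" and inbound and creds[0] is not None:
            alerts.append(("unencrypted_http_login", dst))   # plaintext HTTP carried credentials
            if creds in DEFAULT_CREDS:
                alerts.append(("default_credentials_http", dst))
        elif proto == "http" and outbound and is_internet(dst):
            alerts.append(("unsecured_outbound_http", src))
        elif proto == "ftp" and inbound and creds[0] == "anonymous":
            alerts.append(("ftp_anonymous_login", dst))
        elif proto == "ftp" and inbound and creds in DEFAULT_CREDS:
            alerts.append(("default_credentials_ftp", dst))
        elif proto == "ftp" and outbound and is_internet(dst):
            alerts.append(("unsecured_outbound_ftp", src))
    for dev, n in rst_counts.items():
        if dev in devices and n >= RST_THRESHOLD:
            alerts.append(("excessive_tcp_resets", dev))
    return alerts

# Constructed sample events: one pump (10.0.7.31) and one workstation (10.0.5.20).
SAMPLE_EVENTS = [
    {"src": "10.0.5.20", "dst": "10.0.7.31", "proto": "http", "user": "admin", "password": "admin"},
    {"src": "10.0.7.31", "dst": "203.0.113.9", "proto": "http"},
    {"src": "10.0.5.20", "dst": "10.0.7.31", "proto": "ftp", "user": "anonymous", "password": ""},
] + [{"src": "10.0.7.31", "dst": "10.0.5.%d" % i, "proto": "tcp", "flags": "RST", "established": False}
     for i in range(60)]

if __name__ == "__main__":
    for name, ip in evaluate(SAMPLE_EVENTS, {"10.0.7.31"}):
        print(f"ALERT {name} device={ip}")
```

Running the sample raises five alerts against the pump: the plaintext login, the default credentials it carried, the outbound HTTP connection, the anonymous FTP login and the burst of resets.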
The problems of smart infusion pumps may well be problems of all IoT devices.
Basic cybersecurity hygiene is key, says John Stock, product manager at cybersecurity firm Outpost24.
"Patching and updates are not performed because it takes time and effort to get them done. People skip updates until a 'better time,' essentially taking the choice to leave themselves at risk without the end user even realizing it," he tells ISMG.
But Stock says mitigation methods, such as forced auto-updates, especially for healthcare products, aren’t always an option, and other solutions, such as swapping them for newer units, can be expensive and not viable.
Following the principle of designing with security in mind is key, Stock says. The NCSC has set specific requirements and guidelines for these devices, he says, but the guidelines are not an international requirement.
Securing Infusion Pumps
With attack surfaces widening and attack vectors becoming more refined than ever, healthcare organizations must define medical device security with a new level of sophistication, the researchers at Unit 42 say.
They recommend that healthcare organizations protect their systems against attackers by doing the following:
- Accurately identifying devices on their networks;
- Assessing risks by evaluating device profiles for vulnerabilities, exposures or security advisories;
- Detecting anomalies with machine learning-driven continuous monitoring;
- Enabling built-in prevention for attacks exploiting these vulnerabilities, including known and unknown threats, with automated Zero Trust policy recommendations and enforcement.
Defending IoMT devices requires actionable insight into the detection and prevention of known threats against infusion pumps, so that threats can be mitigated swiftly, the researchers say.
"Built-in prevention capabilities help block known targeted IoT malware, spyware and exploits, preventing the use of DNS for C2 and stopping access to bad URLs or malicious websites to help prevent the loss of sensitive data," Das says.